Basic Docker network configuration
- Default networks
- None network
- Host network
- Bridge network
- User-defined networks
- Connectivity between containers
- Containers and the outside network reaching each other
Default networks
List them with docker network ls
docker network ls
NETWORK ID NAME DRIVER SCOPE
0bd3ee847342 bridge bridge local
aa4c159d7c35 host host local
c34d73cf4f4c none null local
When starting a container, choose its network with --network=<mode>
None network
A closed network: the container has no interface other than lo. It suits containers with strict security requirements that do not need network access.
docker run -it --network=none busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
Host network
The container is attached to the host's network stack, so its network configuration is identical to the host's. The advantage is performance, since traffic moves faster; the drawbacks are lost flexibility and the need to watch for port conflicts with the host.
docker run -it --network=host busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:0c:29:9b:dd:81 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::be66:df93:c10c:4bc4/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 02:42:cb:1d:72:0a brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
Bridge network
When Docker is installed it creates a bridge named docker0; newly created containers are attached to docker0 by default.
brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242cb1d720a no
Create a container
docker run -it busybox
brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.0242cb1d720a no vethd4e63b6
## vethd4e63b6 is now attached to docker0
Container network configuration
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
## inspect the bridge network's configuration
## partial output
docker inspect bridge
[
{
"Name": "bridge",
"Id": "0bd3ee847342096d61d4112dcd971263afec86644dfd123688f103824d18e434",
"Created": "2020-05-30T16:27:07.511859077+08:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16", ## default subnet; containers are assigned IPs from this range when created
"Gateway": "172.17.0.1"
}
]
},
User-defined networks
Docker provides three user-defined network drivers: bridge, overlay and macvlan. overlay and macvlan are used to build networks that span multiple hosts.
Create a network with docker network create [OPTIONS] NETWORK
## create a network with the bridge driver
docker network create --driver bridge --subnet 192.168.100.0/24 --gateway 192.168.100.254 my_net
6cf07f86475c9aefb7e2426945798d45562ad0aee8b17d093c8e7585b1bb8c1b
## Options:
--driver: the network driver
--subnet: the subnet
--gateway: the gateway
Note: if --subnet and --gateway are not given, Docker allocates a subnet and gateway automatically
Network information
ip a |grep br-
6: br-6cf07f86475c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
inet 192.168.100.254/24 brd 192.168.100.255 scope global br-6cf07f86475c
docker inspect -f {{.IPAM.Config}} my_net
[{192.168.100.0/24 192.168.100.254 map[]}]
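The subnet passed to --subnet should not overlap anything the host already routes: if it collides with the LAN (192.168.1.0/24 on this host), traffic for that range is silently pulled onto the Docker bridge. The script below is an added example, not part of the original post. It assumes its input is the plain text that ip r prints; the sample routing table is constructed from the one shown later in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: check a candidate subnet for
# `docker network create --subnet` against the host's existing routes.
# Assumes the input is the plain text that `ip r` prints.

# Constructed sample: the host routing table shown in the post.
SAMPLE_ROUTES='default via 192.168.1.2 dev ens33 proto static metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.10 metric 100
192.168.100.0/24 dev br-6cf07f86475c proto kernel scope link src 192.168.100.254'

# ip_to_int 192.168.1.10 -> 3232235786 (dotted quad as a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_parse 192.168.100.7/24 -> "<network as integer> <prefix length>";
# a bare address is treated as /32.
cidr_parse() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    echo "$(( $(ip_to_int "$addr") & mask )) $plen"
}

# cidr_overlaps A B -> exit 0 when the two ranges share at least one address.
# Two ranges overlap exactly when they agree under the shorter prefix.
cidr_overlaps() {
    set -- $(cidr_parse "$1") $(cidr_parse "$2")
    if [ "$2" -lt "$4" ]; then plen=$2; else plen=$4; fi
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# route_conflicts SUBNET ROUTES -> one "<destination> dev <iface>" line per
# route whose destination overlaps SUBNET; prints nothing when it is safe.
route_conflicts() {
    printf '%s\n' "$2" | while read -r dst rest; do
        [ "$dst" = "default" ] && continue   # 0.0.0.0/0 would match everything
        if cidr_overlaps "$1" "$dst"; then
            dev=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
            printf '%s dev %s\n' "$dst" "$dev"
        fi
    done
}

# Usage: the post's my_net range is now taken by my_net itself, while a fresh
# 10.10.0.0/16 would be free on this host.
route_conflicts 192.168.100.0/24 "$SAMPLE_ROUTES"
route_conflicts 10.10.0.0/16 "$SAMPLE_ROUTES"
```

Run it with the real table via route_conflicts 10.10.0.0/16 "$(ip r)" before creating the network; an empty result means no existing route claims any part of the range.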
When running a container, use --network to select the new network and --ip to set the container's IP
docker run -it --network my_net --ip 192.168.100.2 busybox
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:c0:a8:64:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.2/24 brd 192.168.100.255 scope global eth0
valid_lft forever preferred_lft forever
## without --ip an address is assigned automatically
Connectivity between containers
Containers on the same network can reach each other
Attach two busybox containers to my_net
docker run -it --network my_net busybox
They receive 192.168.100.1 and 192.168.100.2
/ # ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: seq=0 ttl=64 time=0.225 ms
64 bytes from 192.168.100.2: seq=1 ttl=64 time=0.064 ms
Connectivity between containers on different networks
Check the host routing table
ip r
default via 192.168.1.2 dev ens33 proto static metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.10 metric 100
192.168.100.0/24 dev br-6cf07f86475c proto kernel scope link src 192.168.100.254
Check whether IP forwarding is enabled
sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1
Run two containers
mynet: 192.168.100.1
bridge: 172.17.0.2
/ # ping 172.17.0.2
PING 172.17.0.2 (172.17.0.2): 56 data bytes
The ping still fails: iptables drops traffic in both directions between the two networks
iptables-save
...
-A DOCKER-ISOLATION-STAGE-1 -i br-6cf07f86475c ! -o br-6cf07f86475c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
...
How to connect them
Use docker network connect [OPTIONS] NETWORK CONTAINER to add a second interface to the container on the bridge network
docker network connect my_net bf8b2ee0d8af
Network information before connecting
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
Network information after connecting
## a new interface eth1@if18 has appeared with IP 192.168.100.2
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
15: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
17: eth1@if18: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue
link/ether 02:42:c0:a8:64:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.2/24 brd 192.168.100.255 scope global eth1
valid_lft forever preferred_lft forever
## the two containers can now reach each other
/ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: seq=0 ttl=64 time=0.068 ms
64 bytes from 192.168.100.1: seq=1 ttl=64 time=0.174 ms
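Both the failed ping and why docker network connect is the right fix can be read straight out of iptables-save: the STAGE-1 rules send any packet leaving a bridge for somewhere else into STAGE-2, and STAGE-2 drops whatever is headed for another Docker bridge, so attaching the container to both bridges avoids the rules instead of loosening them. The script below is an added example, not part of the original post. Its sample is constructed: it takes the two STAGE-1 lines shown above and adds the STAGE-2 DROP rules and the per-network MASQUERADE rules that Docker installs alongside them.

```shell
#!/bin/sh
# Added example, not part of the original post: read Docker's bridge isolation
# and SNAT state out of `iptables-save` text.

# Constructed sample: the STAGE-1 rules from the post plus the STAGE-2 DROP rules
# and the per-network MASQUERADE rules Docker installs next to them.
SAMPLE_IPTABLES='*nat
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 192.168.100.0/24 ! -o br-6cf07f86475c -j MASQUERADE
COMMIT
*filter
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i br-6cf07f86475c ! -o br-6cf07f86475c -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-2 -o br-6cf07f86475c -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
COMMIT'

# cross_bridge_dropped IN_BRIDGE OUT_BRIDGE RULES -> exit 0 when a packet that
# enters on IN_BRIDGE and would leave on OUT_BRIDGE is dropped by the two-stage
# isolation chain. Traffic staying on one bridge never reaches STAGE-2 ("! -o").
cross_bridge_dropped() {
    [ "$1" = "$2" ] && return 1
    printf '%s\n' "$3" | grep -q -- \
        "^-A DOCKER-ISOLATION-STAGE-1 -i $1 ! -o $1 -j DOCKER-ISOLATION-STAGE-2" || return 1
    printf '%s\n' "$3" | grep -q -- "^-A DOCKER-ISOLATION-STAGE-2 -o $2 -j DROP"
}

# bridge_report RULES -> one line per Docker bridge:
#   <bridge> snat=<source range that is masqueraded|none> isolated=<yes|no>
bridge_report() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING / && /-j MASQUERADE/ {
            s = ""; b = ""
            for (i = 1; i <= NF; i++) { if ($i == "-s") s = $(i+1); if ($i == "-o") b = $(i+1) }
            if (b != "") { snat[b] = s; seen[b] = 1 }
        }
        /^-A DOCKER-ISOLATION-STAGE-2 / && /-j DROP/ {
            for (i = 1; i <= NF; i++) if ($i == "-o") { iso[$(i+1)] = 1; seen[$(i+1)] = 1 }
        }
        END {
            for (b in seen)
                printf "%s snat=%s isolated=%s\n", b,
                       ((b in snat) ? snat[b] : "none"), ((b in iso) ? "yes" : "no")
        }' | sort
}

# Usage: my_net -> docker0 is dropped, which is the failed ping in the post.
cross_bridge_dropped br-6cf07f86475c docker0 "$SAMPLE_IPTABLES" && echo "my_net -> docker0: DROP"
bridge_report "$SAMPLE_IPTABLES"
```

Against a live host, feed it the real rule set with bridge_report "$(iptables-save)"; a bridge that shows isolated=no is one whose containers can be reached from every other Docker network on the host, which is worth knowing before you rely on network separation.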
Containers and the outside network reaching each other
Containers can reach the outside network by default
/ # ping baidu.com
PING baidu.com (39.156.69.79): 56 data bytes
64 bytes from 39.156.69.79: seq=0 ttl=127 time=8.261 ms
iptables-save
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
Reaching containers from outside
Use port mapping: the -p option publishes a port when the container is started
## bind container port 80 to a random unused host port
docker run -dit -p 80 httpd
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
896f3a03de43 httpd "httpd-foreground" 3 seconds ago Up 2 seconds 0.0.0.0:32768->80/tcp confident_lewin
curl 192.168.1.10:32768
<html><body><h1>It works!</h1></body></html>
## bind container port 80 to host port 8080
docker run -dit -p 8080:80 httpd
curl 192.168.1.10:8080
<html><body><h1>It works!</h1></body></html>
For every published port, the host starts a docker-proxy process to handle traffic destined for the container
ps -ef | grep docker-proxy
root 5001 1105 0 17:45 ? 00:00:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080 -container-ip 172.17.0.2 -container-port 80
root 5265 1621 0 17:48 pts/0 00:00:00 grep --color=auto docker-proxy
When curl 192.168.1.10:8080 is run, docker-proxy forwards the connection to the container at 172.17.0.2:80; httpd serves the request and returns the response
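Note the -host-ip 0.0.0.0 in the docker-proxy command line above: -p 8080:80 binds on every host interface, which is why the curl from 192.168.1.10 worked. A service meant only for the host itself should be published as -p 127.0.0.1:8080:80. The script below is an added example, not part of the original post: it audits the PORTS column of docker ps --format '{{.Names}} {{.Ports}}' (this format string is an assumption; the sample rows are constructed from the containers in this post plus two made-up ones) and flags every mapping that is reachable from all interfaces.

```shell
#!/bin/sh
# Added example, not part of the original post: flag published ports that are
# bound on every host interface. Input is the output of
#   docker ps --format '{{.Names}} {{.Ports}}'
# (one container per line, name first, then the PORTS column).

# Constructed sample: the two httpd containers from the post, one container
# published only on loopback, and one with an exposed but unpublished port.
SAMPLE_PS='confident_lewin 0.0.0.0:32768->80/tcp
web_fixed 0.0.0.0:8080->80/tcp, :::8080->80/tcp
admin_local 127.0.0.1:9000->9000/tcp
db_internal 5432/tcp'

# wide_open_ports PS_TEXT -> "<container> <mapping> <bind>" for every mapping
# whose host side is 0.0.0.0 or :: (printed as ALL-INTERFACES) or another
# non-loopback address; loopback-only bindings and unpublished ports are skipped.
wide_open_ports() {
    printf '%s\n' "$1" | while read -r name ports; do
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r map; do
            case "$map" in
                *'->'*) ;;       # only "host->container" entries are published
                *) continue ;;
            esac
            bind=${map%%:*}      # host address is everything before the first ':'
            case "$bind" in
                0.0.0.0|'') printf '%s %s ALL-INTERFACES\n' "$name" "$map" ;;  # '' is the IPv6 ":::port" form
                127.0.0.1) ;;    # loopback-only, reachable from the host alone
                *) printf '%s %s %s\n' "$name" "$map" "$bind" ;;
            esac
        done
    done
}

# Usage: both httpd containers from the post are listed; the loopback-bound one
# and the unpublished port are not. Publishing with `-p 127.0.0.1:8080:80`
# instead of `-p 8080:80` is what keeps a port off this list.
wide_open_ports "$SAMPLE_PS"
```

On a real host run wide_open_ports "$(docker ps --format '{{.Names}} {{.Ports}}')"; every line it prints is a container port that any machine able to reach a host interface can talk to through docker-proxy.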